ISO 27001 Control 6.5: Responsibilities After Termination or Change of Employment

ISO 27001 Control 6.5: Responsibilities After Termination or Change of Employment – How to Protect Information When People Move On

ISO 27001 Control 6.5 – Responsibilities after termination or change of employment – is all about what happens when people leave your organisation or move into a different role.

Even when an employee, contractor, or consultant walks out the door (physically or virtually), their responsibilities don’t completely disappear. If you don’t handle this properly, ex-staff can still access your systems, keep sensitive information, or unintentionally misuse it later.

This guide explains what ISO 27001 Control 6.5 is really asking for, and how to build practical processes that protect your information when roles change or employment ends.


What ISO 27001 Control 6.5 Actually Requires

In plain English, ISO 27001 Control 6.5 – Responsibilities after termination or change of employment expects you to:

  • Define which information security responsibilities continue after someone leaves.
  • Make sure those responsibilities are written down in contracts, NDAs, policies, and procedures.
  • Ensure access is removed, assets are returned, and responsibilities are reassigned when roles change.
  • Apply all of this not just to employees, but also to contractors, suppliers, and other external personnel.

Most of this should sit inside your joiners–movers–leavers (JML) process. Control 6.5 is essentially saying:
“When someone leaves or changes role, you must deliberately close the loop from a security perspective.”


Step 1 – Build ISO 27001 Control 6.5 into Your JML Process

Start by mapping where termination and role change already sit in your HR and IT processes:

  • How do you currently process leavers?
  • How are internal job moves handled?
  • Who actually triggers the changes – HR, line manager, IT?

For ISO 27001 Control 6.5, you want a clear, repeatable process that covers:

  • Leavers (employees or external staff leaving the organisation completely)
  • Movers (people changing roles inside the organisation)
  • End of contract (external suppliers, consultants, or agencies whose engagement ends)

Ideally, you should:

  • Document this in a JML or “employment lifecycle” procedure.
  • Show how HR, IT, line managers, and information security work together.
  • Make sure responsibilities after termination or change of employment are explicit, not implied.

Step 2 – Define Ongoing Responsibilities After Employment

ISO 27001 Control 6.5 expects you to be very clear about what continues after someone leaves.

Typical ongoing responsibilities include:

  • Confidentiality obligations
    – Not disclosing confidential or sensitive information after leaving
    – Not sharing trade secrets, customer lists, technical documentation, or internal processes
  • Intellectual property rights
    – Work created during employment usually belongs to the organisation
    – Former staff should not reuse proprietary materials in ways that breach IP rights
  • Contractual commitments
    – Non-disclosure agreements (NDAs)
    – Any post-employment restrictions (within the law), where appropriate

To make ISO 27001 Control 6.5 work in practice, you should:

  • Spell these out clearly in the employment contract or engagement agreement.
  • Reference them in your information security policy and acceptable use policy.
  • Remind people of these obligations as part of the leaver process (for example, in an exit email or meeting).

Step 3 – Formalise Responsibilities in Contracts and Policies

The standard expects this to be formal, not just “understood”.

Check that:

  • Employment contracts and offer letters:
    – Refer to confidentiality during and after employment
    – Point to your information security policy and data protection obligations
  • NDAs / confidentiality clauses:
    – Cover what information is protected
    – Clarify how long obligations last after termination
  • Contractor / supplier agreements:
    – Include clear information security and data protection clauses
    – Cover what happens at the end of the engagement (return or deletion of data, system access removal, etc.)

For ISO 27001 Control 6.5, auditors will often ask:

“Show me where you define security responsibilities after termination,”
“Show me how this is applied to both employees and external parties.”

If you can point to contracts, NDAs, policies, and procedures that say this explicitly, you’re in good shape.


Step 4 – Handle Internal Role Changes (Movers) Safely

Control 6.5 is not just about people leaving – it also covers role changes.

When someone moves to a new role:

  • Their old information security responsibilities should formally end.
  • Their new responsibilities (and access) should be deliberately defined and assigned.

Practically, that means:

  • Access review and adjustment
    – Remove access that's no longer appropriate
    – Grant only the new access they genuinely need (principle of least privilege)
    – Update mailing lists, Teams / Slack channels, shared drives, CRM access, admin roles, etc.
  • Handover of responsibilities
    – Identify security-relevant duties in the old role (e.g. approvals, system ownership, data stewardship)
    – Assign these duties to a named successor
    – Update documentation: RACI charts, contact lists, procedures
  • Communication
    – Inform relevant colleagues, customers, and suppliers of the role change
    – Provide updated contact details and escalation paths

Auditors often ask for an example of a recent role change and will check:

  • What access was removed
  • Who took over previous responsibilities
  • How it was recorded

That’s all part of showing compliance with ISO 27001 Control 6.5.


Step 5 – Apply ISO 27001 Control 6.5 to External Personnel

Contractors, temporary staff, managed service providers, and suppliers often:

  • Have access to your systems
  • Handle your data
  • Represent your organisation to clients

ISO 27001 Control 6.5 expects you to treat them with the same level of rigour.

You should:

  • Reflect responsibilities after termination or change of employment directly in supplier and contractor contracts.
  • Ensure contracts specify:
  • Integrate them into your JML process (even if they sit with procurement or vendor management rather than HR).

Make it absolutely clear who is responsible for:

  • Raising and managing “leaver” requests for external personnel
  • Confirming that assets are returned and access is revoked

Step 6 – Coordinate HR, IT, Line Managers, and Security

ISO 27001 Control 6.5 only really works if the right people talk to each other.

A robust process typically involves:

  • HR
    – Triggers leaver and role change workflows
    – Ensures contracts include post-employment responsibilities
    – Handles the people side (exit meetings, notifications)
  • Line managers
    – Confirm what access and responsibilities the person had
    – Arrange handover to other team members
    – Validate that assets and information are accounted for
  • IT / Systems owners
    – Disable accounts and remote access
    – Remove the individual from shared mailboxes and groups
    – Reassign ownership of shared resources where needed
  • Information Security / Data Protection
    – Define expectations and policies
    – Spot-check that the process is followed for leavers and movers
    – Investigate any concerns about ongoing misuse of information

A simple way to demonstrate compliance with ISO 27001 Control 6.5 is to maintain:

  • A standard leaver checklist
  • A role change checklist
  • Records showing who approved and completed each step

Step 7 – Communicate, Remind, and Reinforce

People are much more likely to honour post-employment responsibilities if they’re:

  • Clearly stated at the start of employment
  • Reinforced during employment
  • Reminded at the point of leaving

Consider:

  • Including a section on ongoing confidentiality and IP obligations in induction training.
  • Referring to post-employment responsibilities in annual security and data protection training.
  • Sending a concise exit email or letter summarising:
    – What access has been removed
    – What data must not be retained or used
    – Ongoing confidentiality expectations and who to contact with questions

You don’t need to be heavy-handed. A clear, professional tone is enough to support ISO 27001 Control 6.5 and reduce the risk of accidental misuse later.


Quick Implementation Checklist for ISO 27001 Control 6.5

Use this checklist to review your current setup:

  • ISO 27001 Control 6.5 (Responsibilities after termination or change of employment) is covered in your ISMS documentation.
  • Employment contracts and NDAs clearly state post-employment confidentiality and IP obligations.
  • Supplier / contractor contracts include security responsibilities during and after the engagement.
  • A joiners–movers–leavers process is documented and includes leavers and internal role changes.
  • For leavers:
  • For movers:
    – Old access is removed, not just new access added.
    – Security-relevant duties are reassigned or updated.
    – Internal and external stakeholders are informed where needed.
  • External personnel (contractors, agencies, suppliers) follow a consistent termination / change process.
  • HR, IT, line managers, and security know who does what and how the process is triggered.
  • Processes are reviewed regularly to reflect legal changes, new systems, and lessons learned.

Bringing It All Together

ISO 27001 Control 6.5 – Responsibilities after termination or change of employment – is about closing the loop when people leave or move roles.

If you:

  • Build responsibilities after termination into contracts and policies,
  • Embed them into your joiners–movers–leavers process, and
  • Coordinate HR, IT, managers, and security,

you’ll reduce the risk of ex-staff retaining access, misusing information, or accidentally walking away with sensitive data.

When an auditor asks, “What happens to security responsibilities when someone leaves or changes role?”, you’ll be able to show a clear, documented, and repeatable process – and that’s exactly what ISO 27001 Control 6.5 is looking for.